chore(release): bump version to 0.9.19-rc.4

- Add production Docker Compose configuration

- Add check_auth.py diagnostic script for session 401 debugging

Docker/compose.prod.yml

@@ -0,0 +1,105 @@
+# ──────────────────────────────────────────────────────────────
+#  BanGUI — Production Compose
+#
+#  Usage:
+#    docker compose -f Docker/compose.prod.yml up -d
+#    podman compose -f Docker/compose.prod.yml up -d
+#
+#  Features:
+#    - Multi-stage built images (no volume-mounted source code)
+#    - Frontend served by nginx with API reverse proxy
+#    - Backend running uvicorn without --reload
+#    - Only port 8080 exposed to host
+# ──────────────────────────────────────────────────────────────
+
+name: bangui
+
+services:
+  # ── fail2ban ─────────────────────────────────────────────────
+  fail2ban:
+    image: lscr.io/linuxserver/fail2ban:latest
+    container_name: bangui-fail2ban
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    network_mode: host
+    environment:
+      TZ: "${BANGUI_TIMEZONE:-UTC}"
+      PUID: 0
+      PGID: 0
+    volumes:
+      - ../data/fail2ban-dev-config:/config
+      - fail2ban-run:/var/run/fail2ban
+      - /var/log:/var/log:ro
+      - ../data/log:/remotelogs/bangui
+    healthcheck:
+      test: ["CMD", "fail2ban-client", "ping"]
+      interval: 30s
+      timeout: 5s
+      start_period: 15s
+      retries: 3
+
+  # ── Backend (FastAPI + uvicorn) ─────────────────────────────
+  backend:
+    build:
+      context: ..
+      dockerfile: Docker/Dockerfile.backend
+      target: runtime
+    container_name: bangui-backend
+    restart: unless-stopped
+    depends_on:
+      fail2ban:
+        condition: service_healthy
+    environment:
+      BANGUI_DATABASE_PATH: "/data/bangui.db"
+      BANGUI_FAIL2BAN_SOCKET: "/var/run/fail2ban/fail2ban.sock"
+      BANGUI_FAIL2BAN_CONFIG_DIR: "/config/fail2ban"
+      BANGUI_LOG_FILE: "/data/log/bangui.log"
+      BANGUI_LOG_LEVEL: "${BANGUI_LOG_LEVEL:-info}"
+      BANGUI_SESSION_SECRET: "${BANGUI_SESSION_SECRET:?BANGUI_SESSION_SECRET must be set — generate with: python -c 'import secrets; print(secrets.token_hex(32))'}"
+      BANGUI_TIMEZONE: "${BANGUI_TIMEZONE:-UTC}"
+      BANGUI_SESSION_COOKIE_SECURE: "${BANGUI_SESSION_COOKIE_SECURE:-true}"
+      BANGUI_CORS_ALLOWED_ORIGINS: "${BANGUI_CORS_ALLOWED_ORIGINS:-}"
+    volumes:
+      - ../data:/data
+      - ../fail2ban-master:/app/fail2ban-master:ro
+      - fail2ban-run:/var/run/fail2ban:ro
+      - ../data/fail2ban-dev-config:/config:rw
+    networks:
+      - bangui-net
+    healthcheck:
+      test: ["CMD-SHELL", "curl -f http://localhost:8000/api/v1/health/live || exit 1"]
+      interval: 30s
+      timeout: 10s
+      start_period: 40s
+      retries: 3
+
+  # ── Frontend (nginx serving built SPA) ──────────────────────
+  frontend:
+    build:
+      context: ..
+      dockerfile: Docker/Dockerfile.frontend
+    container_name: bangui-frontend
+    restart: unless-stopped
+    depends_on:
+      backend:
+        condition: service_healthy
+    ports:
+      - "${BANGUI_PORT:-8080}:80"
+    networks:
+      - bangui-net
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO /dev/null http://localhost:80/ || exit 1"]
+      interval: 30s
+      timeout: 5s
+      start_period: 5s
+      retries: 3
+
+volumes:
+  fail2ban-run:
+    driver: local
+
+networks:
+  bangui-net:
+    driver: bridge